Widdershins: Politics, De-evolution and the State of the Internet
Widdershins. Why Widdershins? I first brought up this word at DefCon 9.
To explain, let me quote from my DefCon talk.
"The circle is a symbol used in many cultures to signify an unbroken cycle
or chain. In Wicca, a practitioner will cast a circle around the ritual
area at the beginning of the ritual, moving clockwise, or deosil. A
"sacred space" for worship and magick is created, with the circle allowing
protection from outside forces, and a concentrated focus of energies to be
contained within the circle. At the end of the ritual, the practitioner
will move counter-clockwise, or widdershins, to release and return the
energy contained within the circle back from whence it came.
As is the case with most religions, its symbolism is reflected within
society. "Social" circles expand and contract. And society has a tendency
to draw circles around itself using divisions such as class and race to
try to contain themselves. But as history has shown us, all of these
circles are eventually undone, and what is contained within them is
released and returned to the elements from which it was drawn.
What if the circle is a technological one? Or what if the so-called magick
within a closed circle is technological in nature? How do we release
*that* type of magick?"
In that talk, I described a de-evolving technological society. Circles
of treaties, laws, and political movements. A steady encrouchment upon
civil liberties. Before the terrorist attacks on my birthday on September
11th, I stated that the Internet is rapidly de-evolving through a series
of political actions and many of our freedoms are either illegal or may
soon become so. I also stated that the nation state was giving way to
the transnational corporate/government hybrid, which is happening much
faster than I originally anticipated. The terrorst attacks against the
United States were more of an attack against the ways of the West than
against our nation. And the attack was not committed by a nation state,
but a distributed entity with elements inside of dozens of different
nation states. The fact that some nation states, or elements within
particular nation states, are helping via technology, finances, and other
means to provide support for this distributed group of attackers only
complicates the entire story.
There will be many casualties besides the obvious victims in New York,
Arlington, Virginia, and Pennsylvania. Included in these victims will
be us, as our personal liberties and freedoms we have come to love and
know are being attacked. The time for action is now. There is plenty
to do for everyone, and it involves what we do best - hacking.
We built the Internet. I'm not just talking about the wires, and the
computers, but the *spirit* of the Internet. We developed the technologies
that allowed two people to communicate without eavesdropping by anyone,
including our government. We developed the forums into which we can
speak anonymously to others, *including* our government, to voice an
opinion without fear of reprisal. We created open circles that allowed
us to don and discard different masks at will -- and we could dance behind
these masks without fear of discovery or ridicule.
Many of the technologies we brought to this circle are a part of the
social fabric that makes up what is refered to as cyberspace. Even the
concept of masks -- alternate identities by which to hide -- are considered
the norm. In fact, many of us wear these masks like a Native American
dancer wears a mask, paint, and costume during a sacred dance -- the
Indian knows he is not the Eagle, we who are watching the dance know he
is not the Eagle, but the mask, the paint, and the costume *bring out*
the Eagle within.
The "You've Got Mail" crowd has some expectation of privacy and security
when it comes to participating in this great global dance, but unless we
are there to point out issues of privacy and security, we will not be heard.
What have hackers done? Well, we have created a wealth of tools. And like
many tools, they can be used for good or evil. "A hammer can be used to
build a house or break into one" seems to be a popular sentiment. Yes,
we all realize this is somewhat two-faced - some tools have generic
features, other tools do include features whose purpose solely benefit
the intruder and not the administrator, including tools I have written
myself. But we have written a lot of tools.
Using these tools we have created, some of us have destroyed. You cannot
step around this fact. The only defense we have is that in any grouping of
society, you have a few bad people. So we will always have to live with
that aspect of that part of our society.
We disclose. Some of us disclose fully, which is what most of us believe
is the best way. Unfortunately some people take advantage of this, and
destroy instead of create. As a result, there are two camps forming.
One is composed of people like Marcus Ranum and Russ Cooper who
believe in limited disclosure among a group of "professionals". Professionals
in this case seems to be code for "not hackers". A second group of people,
comprised of people involved with the anti-security.is folk believe that
hackers themselves should stop sharing except within very tight and trusted
circles. I know people personally in that second camp, in fact several ex-NMRC
members believe that way, and have returned to the underground.
So here's a question to get us really thinking - why are hackers feared?
Probably because it boils down to this simple fact -- if someone comes up
with a method of using a piece of technology in a way beyond what it was
intended, a hacker will tend to admire the method. Additionally, injection
of humor and/or irony will add extra points. Here is the point that the
rest of society tends to miss -- this admiration occurs even if the method
is illegal. In other words, if a hacker breaks into a system and defaces a
web site, but does so in a technically interesting way, or even
humorously, there will be a level of respect for that individual, even if
the admiring hacker knows it is illegal and is something that they
themselves would never do. Case in point: check out the web defacements of
Evil Angelica -- they are oftentimes humorous and even poke fun of
defacement itself.
What is even more disturbing for the powers that run our society is that
we are willing to cross all kinds of social boundaries in our quest for
knowledge. You see, the Internet has done wonders for breaking down
barriers, including international borders. Probably the first group to
fully realize the potential of this concept were the people that helped
build the Internet. No, not the military industrial complex in the middle
of the cold war, but the hackers working at educational institutions that
began linking up the various regional nets to form what we now know as the
Internet. They understood the barriers. Within academic circles they had
been bypassing these barriers for years -- but now, the process is a lot
more simplified and even automated. WE know how to share information. WE
know how to contact each other quickly. WE have almost another language, a
technological shorthand where we can say things like "port 80, 53, and 25
are open to the entire DMZ and they're running NT," and that is basically
a complete and total security assessment.
But this doesn't explain the fears. Society at large fears us because the
media says they should, and this is reinforced with inane and technically
inaccurate portrayals of what a hacker is in television and movies. But we
have law enforcement and government agencies that appear to fear us. Of
course, we could simply say they are stupid or just "don't get us", but
I'd like for you to think about this for a minute. They are not stupid.
They track down criminals using the most minute of clues. They have
developed sophisticated technologies. They actually are smart. So why are
they telling the media to fear us, and that we are all bad? I'm serious,
we need to think about this.
For starters, who benefits? This is one of those techniques you use to
find out who is behind something, so let's look at who really benefits the
most from this "fear".
One obvious answer is that these law enforcement agencies get budget
money. "We need more money to fight cybercrime, look at all of the website
defacements, no one trusts online shopping which is the wave of the
future, to save the economy we need more money to make the Internet safe
and free from crime." Obviously law enforcement benefits.
Governments benefit. They can tax us more for the money, they can say they
are helping to alleviate fears, they can even do it bipartisanly, which
always make them look good.
For the more paranoid, if you believe in a secret society trying to create
a world government, think about this. Various international treaties are
being created. Some are regional, say maybe just the European Union,
others are more global. They create these treaties regarding cybercrime
and intellectual property rights that are basically impossible to enforce
or control without a governing enforcement body who has multinational
authority. Now would cybercrime and the fear of hackers create the New
World Order? No. At least not alone. But it does provide one more example.
What would bring about such a New World Order? A single unifying event,
one where the exploitation of technology allows a small group of individuals
to leverage technology to amplify their power to a previously unheard
degree? Say like a distributed denial of service attack? Or more like
flying a plane into a building? I'll come back to this point in a minute.
Remember, when it comes to hackers, the media *wants* sensationalism.
Why? To sell adspace and make money, not inform the public. They have
spent years conditioning the masses to want trite bullshit. The
soundbite. A lot of reporters don't like interviewing me because I tell
the truth. They ask "what is the biggest threat computer users face?"
When I answer them "underpatched systems" they are often disappointed.
"No everyone says that, what about hackers, what about cyberterrorists?"
Hmm, it sounds suspiciously like they've answered the question for me.
Sidenote to the media: this is why hackers don't like you.
Now I have exaggerated things to an extent to prove a point here, but we
do have a world that hates and fears us, a media machine that could give a
rat's ass whether we speak the truth or not, and governmental law
enforcement and commercial security companies using us to make money or
increase budgets. Things seem to be getting worse. Technological
de-evolution.
So what can we do? First off, let's look at some of the things we have
done. I'll skip the breaking into systems and other similar things because
that is what most of the rest of the talks at Toorcon are about. However,
I'd like to cover the supposed hacktivist activity.
Web site defacements are *not* hacktivism. They are usually boring, and if
there is any message that is political, it is added on as an afterthought.
I'd invite everyone to take a look at some of the articles from the
Attrition folks at attrition.org on hacktivism. They have done a lot of
research into this area, including an expose on the entirely
self-fulfulling-prophecy media-created Chinese-American hacker war of
defacements. They have also released an article that decries the supposed
"call to arms" for hackers to attack various web sites in middle-eastern
countries. I have a few words to say about that -- don't. Just say no
to web site hacking, in particular against an entire country's address space.
Remember, the enemy in this case is not a nation state, but a distributed
group of mobile terrorists. Attacking all of the web sites in Iraq is not
only pointless, but a wonderful waste of time. While a small group within
Iraq may be funding terrorism, the entire nation is not. The same with
Pakistan, United Arab Emirates, and even Afghanistan (whose exiled legitimate
government is against the Taliban who have seized control).
What is worse is that some people really do think that web site defacement
is a way to get your political message out. The average defacer's "work"
is never seen by the public at large, the message is never reported by the
media accurately, and being that you are lumped in with a bunch of lousy
grafitti artists the message is dismissed out of hand anyway. No one
should be defacing web sites at all, with the possible exception of Evil
Angelica, who is quite entertaining.
Do you folks really want to piss people off? STOP DEFACING WEBSITES. How
will these government agencies get their budgets? How will security
companies sell penetration tests? To quote one of those movies "the
winning move is not to play."
What about doing things like actually finding the bank accounts, the
real Internet accounts of the terrorists? What if in your excitement you
manage to 1) tip off the terrorists because you are not as elite as you
thought, 2) you taint evidence by your intrusion and none of it can be
used in court so the terrorists go free, or the more likely 3) due to
your poking around in the site you are labeled a terrorist, and are busted
as a co-conspirator to one of the world's most henious crimes.
Have there been acts of what you could truly call hacktivism? Actually
there are a few, but they are not widely reported because either they
don't fit well into the soundbite category, or they offer up challenges
that are beyond a reporter's knowledge. Now there are excepts, but I think
most reporters are thinking "how do I sell *this* to my editor?" rather
than "this is something truly worthy of wide coverage!"
An example: Rubberhose. I encourage everyone to visit www.rubberhose.org.
This is a great example of hackers coding together to help out the
oppressed. Rubberhose is basically a crypto solution for people who are
afraid they are going to get their passphrase literally beat out of them.
The target user would be a human rights activist who writes up,
photographs, and digitizes information about human rights abuses in a
foreign country, and wants to keep from getting a passphrase beaten out of
them that could decrypt the data and endanger the lives of the people the
activist is trying to save.
Another example: Peekabooty. What Hacktivismo and the Cult of the Dead Cow
are developing are methods to allow suppressed people to bypass
governmental technological boundaries such as firewalls to get to
information. Their Hacktivismo Declaration is an important document simply
because of it's solidifying nature.
There are other smaller examples of such triumphs that the public nevers
hears about. And do you know what? Rubberhose and Peekabooty scare the
shit out of these governmental types, including the U.S. government. Do
you know why? Do you know why the really smart people who control the
transglobal entities, the secret societies that suppress knowledge and run
the puppet media and economies of the world really REALLY fear us?
The real fear is that we will organize. That is it in a nutshell. If we,
the hackers, the ones who know how the wiring works, the ones who know how
the ones and zeroes are all strung together, the ones that build and
topple technological infrastructures as a hobby actually *unite*, we could
do anything. There is no system, no transnational corporation, no
government agency, or computerized secret that we as a group cannot
uncover and gain access to.
Besides supporting projects such as these, I am going to bring up some
rather controversial material. Now I am not suggesting that you should
*not* support human rights, but remember that there are other
transgressions against people, against the environment, and against
knowledge itself that are being perpetrated by tightly-knit circles.
Imagine if one of us heard of a transnational that held a secret such as
that -- one that was proprietary, but disclosure could result in saving
lives. And imagine if we were organized. This is why we are feared. And
quite frankly, because of such things as what Erin Brochavich and others
have uncovered, what perhaps YOU have uncovered, we really do need to
organize. Most of these transnationals care only about their one true god
with two heads -- money and power.
In July I recommended we join forces and start helping out others such as
Amnesty International, and any other group that risks life and limb to
help their fellow man. We could learn a lot about protecting and
protesting, and they could learn about technology from us. There are those
of us trying to band together to make this type of symbiosis actually
happen, and work.
Now as I stated before, things have accelerated much faster than I
originally anticipated. In fact, it is possible that we are too late.
The terrorist attack upon the WTC and the Pentagon acted as an acelerator
for events already in motion. With the DMCA, WIPO, and other actions by
the WTO, including the arrest of Dmitry Sklyarov, the groundwork was
already being set. Add in a rampant terrorist attack, throw in completely
unsubstantiated theory regarding terrorists using stegonagraphy in
pictures on Ebay and Amazon, and you have knee-jerk legislation to quickly
erode our already-shrinking rights.
Which brings us to widdershins. The opening of closed circles, to release
their magick.
As I have stated numerous times before, we are prisoners. The key to
unlocking our shackles is information. That is why we say information wants
to be free. A lot of this information has been gathered and closed away
from the rest of us, some say to protect others, some say to protect us
from themselves.
Here is a little bit of information for you. I will tell you how your own
talents are being used against you.
You are being used by the system. So am I. We have to work, and work hard,
all of us, because nothing is free. None of us live in freedom, because we
are enslaved to various systems such as credit card debt, the entire
health care and insurance cycle, and mortages and car payments. We are
slaves of the economy.
Know this. Your skills are being tapped into by others. The great "them."
They. They watch our web sites, sniff our email, watch our posts to full
disclosure mailing lists. They study our habits and very thought
processes. They use this to say we are a danger to society, yet use our
honed skills to build their defenses.
The journalist Lew Koch labeled the neo-McCarthyism surrounding technical
issues such as DeCSS, Napster, and other hotbeds of controversy regarding
our technical toys "cybersteria". People have been warning you for months,
people such as Lew, the 2600 guys, and others such as myself that the
government will continue to use legislation to reign in and cut off our
rights -- one by one.
Next on the chopping block -- encryption. Legislation is being discussed
this week to make hacking into a computer system a terrorist act, and
further legislation is being introduced that demands any encryption have
a backdoor in it for the government to use under the same lame guidelines
that they have for search and seizures. If the trend continues, expect
the usage of non-government-backdoored encryption to be a terrorist act,
full disclosure of security issues and hack tool development to be
aiding and abetting a terrorist, and further and further intrusions into
our personal freedoms both on and off line. This is not an idle threat.
A number of us have been making these dire predictions for a while now.
I said last July that it was time to get organized, and start learning
how to fight. Unfortunately, due to unforseen events that happened on
September 11th, the ripple effect has accellerated the actions we warned
you about.
It is the nature of governments to try and maintain control over its
people, and preserve the infrastructures that sustain it. With the
de-evolution of the nation state, and the rise of the transnational state,
we must realize that we, the computer underground, are more of a target of
various governments and transnational states than ever before. Because we
are a provisional government away from becoming a transnational state
ourselves. As I said earlier, if we were organized they would REALLY fear
us, because we would be unstoppable.
We are a headless provisional government, with hackers holding the wires
instead of the infamous "them". And they can't control it, and that drives them
absolutely mad.
Are we on the right track? Are we moving forward properly? Let me tell
you a quick story about a run-in I had last July on the last day of DefCon.
Sunday morning, July 15th. I was minding my own business when a group of
three individuals approached me. All had that short-hair, clean-shaven,
casual-but-not-too-casual look that at DefCon screams FEDERAL AGENT. They
came up and said, "Mark, can we talk to you privately for a minute?" Two
of them whipped out ID and one said, "We're NSA, we thought we'd tell you
that up front so you don't freak out." Of course, wanting to speak to me
privately was freaking me out. I honestly thought I was about 30 seconds
from handcuffs. Had I known about the DefCon bust of Dmitry Sklyarov I
would dropped a chalupa right there.
"Sure, no problem." I glanced around the room, kind of hoping I would spot
Jennifer Grannick. I was trying to play it cool, which in all honesty
involved me not breaking out into a run.
"We have questions about your talk. We want to know what your sources
were, and how you reached your conclusions. You don't have to name names,
just how you came up with what you came up with." Hmm, not what I
expected.
I explained why I thought there was no dependency at this point in time
between the economy and the Internet ecommerce craze. As soon as the
economy turned a little south, a bunch of dot coms went belly up, not the
other way around. People tighten their belts, and they give up some of the
frivolous things like ordering pizza online.
I explained how I thought that the nation state was in decline, and how
the rising transnationals were the first major steps towards a world
government. How regional and global treaties could not be truly enforced
without a world government behind it. How while I believed that my vote is
pointless within the U.S. (the last election proved that), but completely
and totally worthless in a world government that might be partially put
together by oppressive regimes.
I explained why I believed that the NSA would never allow export of
crypto unless they could crack it, and that the entire "we gave in to
public pressure" thing with crypto export was just a ruse that made the
privacy and crypto folks think they had gained something, when they gained
nothing. Based upon this I gave my estimates on what I thought their true
crypto capabilities were.
During my answers they all smiled, and one guy was nodding his head like
he knew I was going to answer that way and had just won a bet on it.
"Good. Excellent work. We really liked your talk."
Hmmm. This didn't make much sense coming from the NSA. Did I not imply by
inference that they were evil? Was my talk not plain enough? Maybe I
wasn't clear exactly how evil I thought they were. So I asked them why
they liked it. They spoke briefly with me about how they thought the stuff
on transnationalism was very good, especially since according to some of
the "social modeling software" output the idea of a world government was
an inevitability. A kind of natural evolution of our global society. The
debate within the agency was whether to get on board with the idea of a
world government so they could "get their hooks in" or fight it tooth and
nail because the good ole USA is the numero uno game in town.
That was quite interesting, especially in a quick talk I had with yet
another NSA employee right before I hopped into a cab with Richard Thieme
to the airport for my flight which confirmed some of this. Ok, maybe not
confirmed, but interesting. This other NSA guy echoed the same sentiment,
and he felt my talk was actually patriotic.
Anyway, I asked these three guys about the crypto stuff. I told them "I
think you can cut through 128bit like butter as in real time decryption so
you can tap into SSL, I think you can brute force 1024bit in a day and
2048bit in a week. I think this entire crypto export thing is a crock of
shit." I remember thinking to myself, "'Crock of shit'? Is that as
intellectual as you can get?"
"Well, of course you're right."
No way. "On all counts?"
"Not exactly, but close enough."
Again with the grins. I was standing there waiting for the other shoe to
drop. It finally did.
"Like you said in your talk, of course we will deny it."
Again I became the supreme intellectual, and said to them, "Well I don't
believe a fucking word you tell me." They laughed, saying things like
"good for you."
And then they decided to fuck with my head a little, which was probably
the point of their entire discussion with me anyway.
"Of course we could be just telling you this stuff because it is
disinformation designed to undermine your thought processes. Or we could
be lacing the true with lies, hoping you try to find both, again to
undermine you. Or we could be just honest guys who liked your talk.
Anyway, you seem to have potential. Keep up the good work." And they left.
I mean damnit. What a mindfuck.
So get involved. Work with human rights groups, this is neeeded now more
than ever. Work with encryption, learn it, and start archiving tools.
Develop stealth communication technologies, even develop alternatives to
the Internet -- look at the work being done at guerrilla.net for a
wireless alternative.
[announcements, discuss RAZOR, nmrcOS beta, mailing list]
We are hackers. We adapt. If we are outlawed on the Internet, we will
circumvent our shackles, maybe return to our BBS networks of old, but we
will still share our information, we will still get our message out, we
will not be suppressed.
They will try their disinformation subterfuge, and try to cloud your minds
with petty arguments such as the full disclosure debate, open source vs.
closed source, and the technical interpretations of our work. But it will
only strengthen our resolve.
They will try to stop us from entering their sacred little circles by
chopping off the heads of our leaders. Well guess what? There will be the
occasional rallying battle cry by an individual or group, but there are no
real leaders, only resolve and raw unbridled intellect.
Black hats. White hats. Grey hats. Crackers. Script kiddies. You can use
your terms to try and subdivide us and pit us against one another. It
won't work. WE ARE HACKERS.
In closing I'd like to use a traditional Wiccan saying after opening
acircle. The circle is open, yet unbroken. Merry meet, merry part, and
merry meet again. Thank you, and blessed be.